Questions About OFSAAI Security Guide (for OFSAAI 7.3.3.0.0) (Doc ID 1680802.1)

Last updated on October 31, 2019

Applies to:

Oracle Financial Services Analytical Applications Infrastructure - Version 7.3.3.0.0 and later
Information in this document applies to any platform.

Goal

Below are the queries raised by the client regarding the OFSAAI 7.3.3.0.0 Security Guide.

Question 1: Section 1.2.3 of the OFSAAI security guide states:

You can exclude the evaluation of a keyword by adding a new PARAMNAME with PARAMVALUE and a DESCRIPTION (optional) to the configuration table. The ending numeral in the new PARAMNAME should be higher than any other numbers in the group.
For example, if you want to exclude the evaluation of JS keyword “return”, which has the PARAMNAME XSS_JS_KEYWORDS1, you need to update the keyword numeral to XSS_JS_KEYWORDS12 considering the table has 11 other keywords listed under this category. Ensure that the updated number is higher than any other numbers in the group.

How can custom keywords that are to be blocked be added?


Question 2: Section 2.2.1 of the OFSAAI security guide has configuration steps for restricting cookies to HTTP sessions. Is this configuration a best practice or a mandatory step?

Question 3: Section 2.2.2 of the OFSAAI security guide has configuration steps for adding the JSESSIONID in the web container. Is this configuration a best practice or a mandatory step?

Question 4: Are all the URLs listed in the $FIC_WEB_HOME/webroot/conf/excludeURLList.cfg file excluded from the XSS/SQL/JS keyword checks? If so, why are the checks skipped for so many URLs? Are these considered harmless URLs?
 

Solution

To view full details, sign in with your My Oracle Support account.
